
ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.
As a critical path for data into and out of the network, these devices need to be routinely and promptly patched, run up-to-date hardware and software versions and configurations, and be closely monitored from a security perspective.
Gaining a foothold on these devices allows an actor to pivot directly into an organization, reroute or modify traffic, and monitor network communications.
Analysis from our SOC team
The ArcaneDoor campaign signifies a concerning trend of state-sponsored actors targeting vital perimeter network devices, exemplified by the exploitation of Cisco Adaptive Security Appliances (ASA).
Tracked as UAT4356 and STORM-1849, the attackers demonstrated sophistication and a focus on espionage. Using bespoke tools such as “Line Runner” and “Line Dancer,” they carried out a range of malicious activities, exploiting critical vulnerabilities (CVE-2024-20353 and CVE-2024-20359).
With a global impact on government and critical infrastructure networks, organizations must prioritize patching, robust authentication measures, and collaborative threat intelligence sharing to mitigate such threats effectively.
The Approach SOC team can assist you in the event of an incident or suspected compromise.
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0.
Customers using a DMZ in front of their main CrushFTP instance are partially protected by the protocol translation system it uses.
Analysis from our SOC team
Since this vulnerability is already being exploited in the wild, applying the patch should be at the top of your priority list. If not done already, this is also a good opportunity to review the recommendations for further hardening of your CrushFTP instance, as explained here.
It is also a good practice to make sure there is no trace of a compromise, even after applying the patch.
The Approach SOC team can assist you in the event of an incident or suspected compromise.
In a move away from traditional phishing scams, attackers are increasingly exploiting vulnerabilities in computer systems to gain initial network access, according to Mandiant’s M-Trends 2024 Report.
In 2023, attackers gained initial access through exploiting vulnerabilities in 38% of intrusions, a 6% increase from the previous year.
Mandiant also found phishing’s prevalence declined from 22% of intrusions in 2022 to 17% in 2023. However, it was still the second most common initial access vector assessed by Mandiant.
Analysis from our SOC team
Mandiant’s M-Trends 2024 Report reveals a notable shift in attack strategies: attackers are increasingly exploiting system vulnerabilities rather than relying on traditional phishing. This is highlighted by the rise in zero-day vulnerabilities, with 97 unique cases observed in 2023, a 56% increase from the previous year.
This transition from phishing to zero-day exploits might partially be attributed to the increased awareness of phishing within organizations.
The report underscores the importance of enhanced security measures to counteract the growing sophistication of attackers in targeting organizations’ vulnerabilities.
The FPS Economy is launching the www.stoparnaques.be website, which provides an overview of the most common scams. You will also find out how to recognise them and how to protect yourself against them.
Analysis from our SOC team
This new website from the FPS Economy provides great tips and explanations on how to identify threats and how to react, but also on how to protect those you care about.
Everyone should make use of this website, no matter if it is for personal benefit or to spread awareness.
Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.